The standards for incident handling use different vocabularies, but they say essentially the same thing.
The table below compares the language used by four authorities to describe the incident handling phases. The authorities divide the process into 4, 5, or 6 phases.
| Phase | NIST SP 800-61 | ISO 27035 | SANS | ISACA |
|---|---|---|---|---|
| Before | Prepare | Planning & Preparation | Preparation | Preparation |
| During | Detect & Analyze | Identify & Report | Identification | Detect, Triage, & Investigation |
| | Contain, Eradicate, & Recover | Assess | Containment | Containment, Tracking, Analysis, & Recover |
| | | Respond | Eradication | |
| | | | Recovery | |
| After | Review Incident | Learn | Lessons Learned | Post Incident Assessment |
| | | | | Incident Closure |
| Total | 4 Phases | 5 Phases | 6 Phases | 5 Phases |
NIST, SP 800-61 Rev 2, Computer Security Incident Handling Guide, 2012. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
ISO/IEC 27035:2011, Information technology — Security techniques — Information security incident management, 2011. http://www.iso.org/iso/catalogue_detail?csnumber=44379
SANS, The Incident Handler's Handbook, 2011. http://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
ISACA, Incident Management and Response, 2012. http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Incident-Management-and-Response.aspx
The Response Management Framework aligns well with all of these approaches. Let us now apply the framework to a response plan review.